A List of Privacy Measures

Jan 10, 2017

… that you can take without being labeled ‘crackpot’.

This aims to document everything I use to maintain a degree of privacy in my
digital life, along with a few comments. It is targeted at intermediate Linux
users who can get everything set up without any hand-holding. I had wanted to
write tutorials on what follows, but that would make the post unbearably long.
Instead, I shall try to link to pages that are good starting points.

I intend to constantly update this, so it might be a good page to bookmark.

Goals

Achieve as much privacy as possible, without sacrificing (too much)
convenience. The threshold varies from person to person. Personally, I’m not
going to give up on GMail and do something crazy like run my own private email
server, but I do bother encrypting my chats. The balance I have struck may
seem excessive to some, and most deficient to others. Use this document as a
reference to find your sweet spot.

You could also choose a flavor of BSD, and most of what follows would apply to
you.

Firejail

Most applications on your system have access to your entire file system.
That includes ~/.ssh. Let that sink in for a minute. Proprietary code that you
run on your system could be uploading your ssh keys, your browser profile, and
your unencrypted chat history to who knows where. There is also precedent for
the free and open source Firefox being exploited to steal sensitive data.

Firejail is a SUID program that reduces the risk of security breaches by
restricting the running environment of untrusted applications using Linux
namespaces and seccomp-bpf. It allows a process and all its descendants to
have their own private view of the globally shared kernel resources, such as
the network stack, process table, mount table.

What he said.

Here’s what I’ve got sandboxed on my PC:

Firefox

Dropbox. This doesn’t need to access anything but
~/Dropbox, and ~/.dropbox-dist. There’s some compulsive update behavior,
where it repeatedly downloads an update, but is unable to actually update
itself in this profile. I haven’t figured out a solution to it yet.

qBittorrent
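
A profile along the lines described above for Dropbox, as an added example that is not part of the original post. The directives are Firejail's own; the ~/.dropbox whitelist, the dropboxd path in the usage comment and the two helper function names are assumptions.

```shell
#!/bin/sh
# Added example: Firejail profile for Dropbox plus a small audit helper.

write_dropbox_profile() {
    # $1 = destination, e.g. ~/.config/firejail/dropbox.profile
    mkdir -p "$(dirname "$1")" || return 1
    cat > "$1" <<'EOF'
# With any whitelist under $HOME, Firejail hides the rest of $HOME
# (~/.ssh, browser profiles, chat logs) behind a tmpfs.
whitelist ${HOME}/Dropbox
whitelist ${HOME}/.dropbox-dist
# Assumption, not from the post: account state lives in ~/.dropbox
whitelist ${HOME}/.dropbox

caps.drop all
nonewprivs
noroot
seccomp
protocol unix,inet,inet6
private-dev
private-tmp
EOF
}

audit_profile() {
    # $1 = profile to check. Fail if nothing under $HOME is whitelisted,
    # because then the whole home directory stays visible in the sandbox.
    grep -Eq '^whitelist (\$\{HOME\}|~)/' "$1" || return 1
    # Fail if the whitelist re-exposes all of $HOME or the SSH key directory.
    if grep -Eq '^whitelist (\$\{HOME\}|~)(/|/\.ssh(/.*)?)?$' "$1"; then
        return 1
    fi
    return 0
}

# Usage (needs firejail installed):
#   write_dropbox_profile "$HOME/.config/firejail/dropbox.profile"
#   audit_profile "$HOME/.config/firejail/dropbox.profile" &&
#       firejail --profile="$HOME/.config/firejail/dropbox.profile" \
#           "$HOME/.dropbox-dist/dropboxd"
```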

Firefox

The declining market share of this browser compels me to include a ‘Why Use
Firefox’ section before we go any further.

Performance is good enough, on both Desktop & Android. Those of you who were
driven into the comforting, yet evil embrace of Google because Firefox felt
slow, do give it another try now with Electrolysis enabled. Feels like butter.

Mozilla is slowly replacing the rendering engine with Servo - a lightning fast
engine that leverages your GPU for performance.

Also, follow this excellent guide
to tweaking Firefox settings for maximum privacy. I don’t personally have all of
this disabled, notably WebGL.

Disable WebRTC by setting media.peerconnection.enabled to false. Don’t do it
if you use communication apps that use WebRTC.

File Sharing / Backup

EncFs

EncFs transparently encrypts a folder on your
system. You get a folder with encrypted data that you can back up on Dropbox,
which you can mount over FUSE and access files as you would normally.

The killer feature you should look at is reverse mounting, i.e., EncFs can mount
a regular unencrypted directory on your system as an encrypted mount, which you
can subsequently back up using your favorite backup program.

Consider using AES-CBC mode, and also obfuscate file names.

Dropbox

I don’t leave it running 24x7, but manually do so when I need to sync something.
It’s heavily sandboxed using Firejail.

SpiderOakONE

My one and only gripe with this program is that it isn’t open source, which
negates every claim of “zero knowledge” and “privacy” that they’ve made since
its conception. Fortunately, the three directories that I do need constantly
backed up in the cloud are actually EncFs mounts. I’ve got a cron job to run
SpiderOakONE --batchmode every three hours.

file.io

file.io deletes your file after it is downloaded once,
eliminating the possibility that you’ll leave something lying around on a remote
server. I’ve got a small shell script that uploads to file.io which I use all
the time. Consider encrypting manually with openssl before you upload here.
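
One way to do the encrypt-then-upload step, as an added example that is not the script mentioned above. The function names, the FILEIO_PASS variable and the multipart field name "file" for the file.io endpoint are assumptions.

```shell
#!/bin/sh
# Added example: encrypt locally with openssl, then upload only ciphertext.
# The passphrase is read from the exported variable FILEIO_PASS, so it never
# shows up in the process list or in shell history.

encrypt_for_upload() {
    # $1 = plaintext file, $2 = ciphertext output
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass env:FILEIO_PASS -in "$1" -out "$2"
}

decrypt_download() {
    # $1 = downloaded ciphertext, $2 = recovered plaintext
    # Note: openssl enc gives confidentiality only; it does not authenticate
    # the data, so compare a checksum out of band if tampering is a concern.
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:FILEIO_PASS -in "$1" -out "$2"
}

upload_once() {
    # $1 = plaintext file. Prints the service's response (download link).
    enc=$(mktemp) || return 1
    # filename=blob.bin keeps the original file name off the remote server.
    encrypt_for_upload "$1" "$enc" &&
        curl --fail --silent --show-error \
            -F "file=@$enc;filename=blob.bin" https://file.io
    rc=$?
    rm -f "$enc"
    return "$rc"
}

# Usage:
#   export FILEIO_PASS='long random passphrase shared out of band'
#   upload_once notes.txt
#   # recipient: curl -o blob.bin <link>; decrypt_download blob.bin notes.txt
```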

Android

Here’s the thing about Android - if you really care about privacy, don’t run it.
It’s probably logging everything from your keystrokes to contacts. If you aren’t
that hardcore, then there are steps you can take to limit the amount of data
Google gets.

Limit the number of applications you install, and prefer using their mobile web
app. Using m.facebook.com in your browser is much better than using their
security nightmare of an app.
Firefox also allows you to pin certain pages to your home screen, so you can
launch them as you would an app.

Consider using a third party keyboard app, such as SwiftKey or Hacker’s
Keyboard, and completely block its access to the internet.

Carefully go through app permissions on your device, and block anything that
the app doesn’t need. Most apps don’t need to access your contacts, read your
messages, or have full internet access.

IM

Most of my conversation happens with a tiny group (< 5) of friends. I’ve
therefore moved them to public XMPP servers, and we now use open source clients
with end to end encryption to chat. Outside this group, I use whatever the other
person is using. I might do a future post detailing my setup.

Reading & Important Links

Contributing

Since this outlines my personal privacy setup, I won’t be accepting any
direct modifications. If, however, I end up using something you suggest, I’ll be
sure to put it in here. I’ll give credit where credit is due, of course.